Currently, the only public proof-of-concept exploit code for the infamous BlueKeep vulnerability is a module for the Metasploit penetration testing framework.
The BlueKeep Metasploit module was put together from a proof-of-concept code donated by RiskSense security researcher Sean Dillon (@zerosum0x0) over the summer.
While the exploit works, it has a downside, namely that on some systems it can crash the target with a Blue Screen of Death (BSOD) error, instead of granting the attackers a remote shell.
This BSOD error is how security researcher Kevin Beaumont discovered the first BlueKeep-based attacks in the real-world last week after he noticed that 10 of his 11 RDP honeypots were down with a BSOD error.
However, this week, the BlueKeep Metasploit module will get a fix for this bug. The fix removes the BSOD error and makes BlueKeep attacks more reliable.
BlueKeep was crashing because of the Meltdown patch
In an interview with ZDNet over the weekend, Dillon said the root cause of the BSOD errors was Microsoft's patch for the Meltdown Intel CPU vulnerability.
"From looking at screenshots of the analysis Marcus 'MalwareTech' Hutchins did, we know code execution was achieved and that the honeypots were crashing because the exploit did not support kernels with Meltdown," Dillon told ZDNet.
"The future BlueKeep Metasploit exploit will support kernels patched for Meltdown and does not even need a KVA Shadow mitigation bypass," he said.
[KVA Shadow is the technical name that Microsoft gave to the Meltdown patch. See here for details.]
The new BlueKeep exploit changes the exploit routine early in a BlueKeep attack, so a Meltdown patch bypass isn't even needed. Diving deeper into the technical details, Dillon told ZDNet:
"For the [BlueKeep] exploit payload to transition from kernel mode to a traditional user-mode payload (such as reverse TCP shell callback), we were changing the system call register in a way that was not allowed by the Meltdown KVA Shadow mitigation. After writing a bypass for the KVA Shadow mitigation, it was pointed out that the exploit payload could be written without needing to hook the system call at all. The need for a Meltdown bypass is actually unnecessary and part of wrong assumptions early on in the exploit development That is the fix that will be going in."
Some perspective from MalwareTech
What this means for all of us is pretty obvious. BlueKeep's public exploit is getting more reliable, meaning attackers have a higher chance of breaking into a company that runs at least one vulnerable system.
As Hutchins pointed out in a Twitter thread last week, the cyber-security community has focused too much on Microsoft's initial warning that BlueKeep could be used to create "wormable malware."
The result was that everybody missed the point that even if attackers don't create a BlueKeep-based worm, BlueKeep is still a major threat and should not be ignored.
"I'm not really worried about a worm, what I'm worried about is something that could be already happening," Hutchins said.
"Most BlueKeep vulnerable devices are servers. Generally speaking, Windows servers have the ability to control devices on the network. Either they're domain admin, have network management tools installed, or share the same local admin credentials with the rest of the network. By compromising a network server, it is almost always extremely easy to use automated tooling to pivot internally (Ex: have the server drop ransomware to every system on the network)," he added.
"The real risk with BlueKeep is not a worm. A worm is pointless and noisy. Once an attacker is on the network, they can do far more damage with standard automated tools than they could ever do with BlueKeep," Hutchins said.
"Remember all those news stories about entire networks being ransomwared? That starts with a single system being hacked. Not even a server, a normal, non admin, client system. Attackers don't need worms.
"People need to stop worrying about worms and start worrying about basic network security. Firewall your servers off from the internet, learn about credential hygiene. Occasionally worms happen, but every day there are entire networks compromised using only standard tools."
The BlueKeep lowdown
Because there's been a flood of BlueKeep-related coverage this year, below is a summary of what you need to know. Just the essentials:
- BlueKeep is a nickname given to CVE-2019-0708, a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service.
- BlueKeep impacts only: Windows 7, Windows Server 2008 R2, Windows Server 2008.
- Patches have been available since mid-May 2019. See official Microsoft advisory.
- On the same day it released patches, Microsoft published a blog post warning about BlueKeep being wormable.
- Microsoft issued a second warning about orgs needing to patch BlueKeep, two weeks later, at the end of May.
- The US National Security Agency, the US Department of Homeland Security, Germany's BSI cyber-security agency, the Australian Cyber Security Centre, and the UK's National Cyber Security Centre have all issued their own security alerts, trying to get companies to patch outdated computer fleets.
- Many security researchers and cyber-security firms developed fully-working BlueKeep exploits over the summer; however, nobody published the code after realizing how dangerous the exploit was, and fearing that it could be abused by malware authors.
- In July, a US company started selling a private BlueKeep exploit to its customers, so they could test if their systems were vulnerable.
- In September, the developers of the Metasploit penetration testing framework published the first public BlueKeep proof-of-concept exploit.
- In late October, malware authors started using this BlueKeep Metasploit module in a real-world campaign. Microsoft has an article about this malware campaign here.
- According to BinaryEdge, there are roughly 700,000 internet-connected Windows systems that are vulnerable to BlueKeep, and have yet to receive patches.